Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance Security Certification for Cloud Services : The CSA STAR Certification Daniele Catteddu,

Published byShaylee Cundy Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance Security Certification for Cloud Services : The CSA STAR Certification Daniele Catteddu,"— Presentation transcript:

1 www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance Security Certification for Cloud Services : The CSA STAR Certification Daniele Catteddu, CSA Managing Director EMEA and OCF Program Director

2 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Cloud BARRIERS (Perceived) Loss of control Lack of clarity around the definition and attribution of responsibilities and liabilities Difficulties achieving accountability across the cloud supply chain Incoherent global (and even sometimes regional and national) legal framework and compliance regimes Copyright © 2014 Cloud Security Alliance

3 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance ….and more barriers The lack of transparency of some service providers or brokers Lack of clarity in Service Level Agreements Lack of interoperability. Lack of awareness and expertise Copyright © 2014 Cloud Security Alliance

4 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance

5 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance OPENNESS & TRANSPARENCY

6 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Open Certification Framework The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. Copyright © 2014 Cloud Security Alliance

7 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance CSA STAR: Security, Trust & Assurance Registry Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud. The STAR is a publicly accessible registry that documents the security controls provided by cloud computing offerings Helps users to assess the security of cloud providers Searchable registry to allow cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. It is based on a multilayered structure defined by Open Certification Framework Working Group Copyright © 2014 Cloud Security Alliance

8 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Minimum Common Denominator

9 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Cloud Control Matrix Cloud specific: Security Control Framework designed with Cloud in mind Global effort: developed with the contribution of more than 500 subject matter experts Widely adopted by thousands of companies and Government Structured in 16 domains and 136 controls Ensure due care is taken in the cloud provider supply chain It is mapped against all the other relevant standards: ISO 27001, COBIT, HIPAA, NIST SP800-53, FedRamp, PCI, BITS, GAPP, Jericho Forum, NERC CIP, ENISA IAF, etc Flexible: It will be updated to keep pace with changes. Wants to drive continuous improvement Freely available on CSA web site: please download it, use it, try to break it if you can…and then tell us if we need to change anything.. Copyright © 2014 Cloud Security Alliance

10 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance CCM V 3 Domains 1.Application and Interface Security (AIS) - 6 Controls 2.Audit, Assurance and Compliance (AAC) - 3 Controls 3.Business Continuity and Management Resilience (BCR) – 13 Controls 4.Change Control and Configuration Management (CCC) – 6 Controls 5.Data Center Security (DCS)– 8 Controls 6.Data Security & Information Lifecycle Management (DSI) – 9 Controls 7.Encryption and Key Management (EKM) – 4 Controls 8.Governance and Risk Management (GRM) - 12 Controls 9.Human Resources Security (HRS) – 13 Controls 10.Identity and Access Management (IAM) – 13 Controls 11.Interoperability and Portability (IPY) - 4 Controls 12.Infrastructure and Virtualization Security (IVS) - 13 Controls 13.Mobile Security (MOS) – 20 Controls 14.Security Incident Management –e-Discovery Cloud Forensics (SEF) – 5 Controls 15.Supply Chain Management, Transparency and Accountability (STA) -10 Controls 16.Threat and Vulnerability Management (TVM) – 3 Controls Copyright © 2014 Cloud Security Alliance

11 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Open Certification Framework The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. Copyright © 2014 Cloud Security Alliance

12 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Self Assessments based on Consensus Assessments Initiative Questionnaire and Cloud Control Matrix Voluntary industry action promoting transparency Open to ALL cloud providers Since the initial launch at the end of had tremendous growth 59 entries: including Amazon Web Services, Box.com, HP, Microsoft, Ping Identity, Red Hat, IntracomTelecom, Symantec, Terremark and many others Copyright © 2014 Cloud Security Alliance

13 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Open Certification Framework The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. Copyright © 2014 Cloud Security Alliance

14 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Open Certification Framework The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. Copyright © 2014 Cloud Security Alliance

15 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance CSA STAR Continuous will be based on a continuous auditing/assessment of relevant security properties. It will built on the following CSA best practices/standards: Cloud Control Matrix (CCM) Cloud Trust Protocol (CTP) CloudAudit (A6) CSA STAR Continuous is currently under development and the target date of delivery is 2015. Copyright © 2014 Cloud Security Alliance

16 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Open Certification Framework The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. Copyright © 2014 Cloud Security Alliance

17 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance

18 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. Technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 & the CSA CCM Integrates ISO/IEC 27001:2005 with the CSA CCM as additional or compensating controls. Measures the capability levels of the cloud service. It assigns a ‘Management Capability’ score to each of the CCM security domains. Copyright © 2014 Cloud Security Alliance

19 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Evaluates the efficiency of an organization’s ISMS and ensures the scope, processes and objectives are “Fit for Purpose.” Help organizations prioritize areas for improvement and lead them towards business excellence. Enables effective comparison across other organizations in the applicable sector. Based upon the Plan, Do, Check, Act (PDCA) approach Enables the auditor to assess a company’s performance, on long-term sustainability and risks, in addition to ensuring they are SLA driven. Developed by CSA with the support of British Standard Institute (BSI) Copyright © 2014 Cloud Security Alliance

20 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org WHY CSA STAR Certification builds on ISO27001? Help organizations prioritize areas for improvement and lead them towards business excellence. ISO 27001 is the international standard for information security Considered as Gold Standard for information security There are over 17,500 organisations certified globally in over 120 countries. Copyright © 2014 Cloud Security Alliance

21 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance ISO 27001 is updated every 8 years – the controls become obsolete faster than that It is a one size fits all standard but there are some industry specific concerns it does not cover, ie it is not Cloud relevant Any standard can become a lowest common denominator People can certify any scope they like within their organisation to mislead clients It doesn't support transparency Copyright © 2014 Cloud Security Alliance

22 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security AllianceCopyright © 2014 Cloud Security Alliance

23 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Next steps Pilot CloudTrust Protocol (CTP) Integrate CTP in the Open Certification Framework (STAR Continuous) Integrate Privacy Level Agreement into the Open Certification Framework For more info on CSA Privacy Level Agreement results please check: https://cloudsecurityalliance.org/research/pla/https://cloudsecurityalliance.org/research/pla/ Copyright © 2014 Cloud Security Alliance

24 Copyright © 2012 BSI. All rights reserved. www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance In summary Transparency, assurance and accountability are the key elements to increase trust in cloud computing Security certifications could be good tool to increase trust, ONLY if: Auditors are qualified and properly certified The control framework used as underlying standard is relevant The control framework is publicly available and it’s capability to address requirements can be verified. There scheme support transparency (e.g via publication of scope and SoA) Different assurance need are supported (e.g. self certification – 3 rd party assessment – continuous monitoring). Certifications need to be affordable for Small and Medium companies CSA Open Certification Framework and STAR Certification provides all the above. Copyright © 2014 Cloud Security Alliance

25 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgContacts Help Us Secure Cloud Computing www.cloudsecurityalliance.org info@cloudsecurityalliance.org dcatteddu@cloudsecurityalliance.org LinkedIn: www.linkedin.com/groups?gid=1864210www.linkedin.com/groups?gid=1864210 Twitter: @cloudsa STAR: https://cloudsecurityalliance.org/star/https://cloudsecurityalliance.org/star/ OCF: https://cloudsecurityalliance.org/research/ocf/ CUMULUS: http://www.cumulus-project.eu A4Cloud:http://www.a4cloud.eu Copyright © 2014 Cloud Security Alliance

26 SEE YOU @ CALL FOR PAPERS CLOSES 16TH MAY FULL DETAILS: www.cloudsecuritycongress.comwww.cloudsecuritycongress.com CONTACT: Chris Clarke cclarke@mistieurope.comcclarke@mistieurope.com

27 www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance THANK YOU!

Download ppt "Www.cloudsecurityalliance.org Copyright © 2014 Cloud Security Alliance Security Certification for Cloud Services : The CSA STAR Certification Daniele Catteddu,"

Similar presentations

Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance DANIELE CATTEDDU CSA Managing Director EMEA.

Copyright © 2011 Cloud Security Alliance DANIELE CATTEDDU CSA Managing Director EMEA.
Thanks to Microsoft Azure’s Scalability, BA Minds Delivers a Cost-Effective CRM Solution to Small and Medium-Sized Enterprises in Latin America MICROSOFT.

Thanks to Microsoft Azure’s Scalability, BA Minds Delivers a Cost-Effective CRM Solution to Small and Medium-Sized Enterprises in Latin America MICROSOFT.
Cloud Security Alliance Research & Roadmap June 2012

Cloud Security Alliance Research & Roadmap June 2012
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Cloud Controls Matrix Work Group Session Sean Cordero President of Cloudwatchmen,

Copyright © 2011 Cloud Security Alliance Cloud Controls Matrix Work Group Session Sean Cordero President of Cloudwatchmen,
Bill McClanahan – Principal Business Consultant LPS Integration.

Bill McClanahan – Principal Business Consultant LPS Integration.
Www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance CSA Speed Talk: “STAR &CCSK – An Update on Provider and User Certification”

Copyright © 2013 Cloud Security Alliance CSA Speed Talk: “STAR &CCSK – An Update on Provider and User Certification”
Cloud Security Challenges Today and Tomorrow NameTitle February 2011.

Cloud Security Challenges Today and Tomorrow NameTitle February 2011.
Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Keynote.

Copyright © 2011 Cloud Security Alliance Keynote.
Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance.

Copyright © 2011 Cloud Security Alliance.
Accredited Third Party Certification and Food Safety Management Systems Jill Hollingsworth, DVM Group Vice President Food Marketing Institute.

Accredited Third Party Certification and Food Safety Management Systems Jill Hollingsworth, DVM Group Vice President Food Marketing Institute.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works

Security Controls – What Works
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
CloudAudit Working Group Update April 2011. CloudAudit Charter Provide a common interface and namespace that allows cloud computing providers to automate.

CloudAudit Working Group Update April CloudAudit Charter Provide a common interface and namespace that allows cloud computing providers to automate.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Building trust in the Cloud: the CSA perspective Daniele Catteddu, Managing Director EMEA & OCF-STAR Program Director Cloud Security Alliance © Cloud Security.

Building trust in the Cloud: the CSA perspective Daniele Catteddu, Managing Director EMEA & OCF-STAR Program Director Cloud Security Alliance © Cloud Security.
Achieving Security Assurance and Compliance in the Cloud Jim Reavis Executive Director.

Achieving Security Assurance and Compliance in the Cloud Jim Reavis Executive Director.
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Similar presentations

Ads by Google